Eavesdropping on Bluetooth Automobiles

This new tool is called The Car Whisperer and allows people equipped with a Linux laptop and a directional antenna to inject audio to, and record audio from, passing cars that have an unconnected Bluetooth handsfree unit running, since many manufacturers use a standard passkey, which is often the only authentication needed to connect.

This tool allows you to interact with other drivers when traveling, or may be used to talk to that pushy Audi driver right behind you ;). It also allows eavesdropping on conversations inside the car by accessing the microphone.

Whether you follow the car depends largely on whether you want to eavesdrop while the target vehicle is moving - I can imagine some people would rather eavesdrop while the vehicle is 'parking'. (adds new meaning to 'in car entertainment')

That's correct. Experiments that led to the (media friendly) BlueT sniper rifle were able to sniff up to a mile or so away: http://bluedriving.com/

But I like the point in the article where they recommend using this technique to talk to people following too closely. Imagine an always-on BlueT signal that alerted/interfered with cars near the rear of your vehicle depending on your speed.

I seriously doubt the manufacturers of automobile BT devices are worried. This looks like it would affect maybe one in ten million vehicles. And then only for a few seconds or so. Still, it's a good idea to reset the passkey on all BT devices as a standard practice.

Darn. I thought at first he was hacking the car. I was hoping I had an easy way of getting that guy in the left lane with his blinker on for the last 20 miles who's doing 30 MPH under the speed limit to get out of my way... If I'm not mistaken, the OnStar installed in some cars is using Bluetooth for internal communications (like between the OnStar module and the GPS, air bag deployment sensor, etc). That could be interesting.

Didn't manufacturers learn back with the first generation of ISDN phone equipment 15 years ago that you really positively need a hard off switch? (And then of course they mostly forget that for cell phones)

Unfortunately, radio follows the inverse square law- square the power to double the range. So while a 30dB boost does increase the signal strength by a factor of 1000, the range would go up by a theoretical maximum of sqrt(1000) ~= 30 times. Real world experiments suggest that for short range low power signals it's more like an inverse cube law (diffraction, scattering, etc. cut down the signal even more).

I live near a major artery in a large city - i.e. frequently traveling very slow during rush hour. If I could get 200 yards out of a device, I could sit on my front porch and probably have a reasonable (minute or 2) period on each driver. I could see this being a fun toy - or just trunk mounted while driving.

Dave is correct. Signal strength goes by the inverse square law...so 30 dB means about 30 times in range. (sqrt 1000).
However, folks, an antenna with 30 dB gain has a beamwidth so narrow that pointing it becomes a serious problem.
There's no free lunch.

While the range of the devices shown may be limited, the exploit has other uses. Think about the GPS trackers put in cars to see where people have been. Adding the technology to snoop the audio and record or retransmit it should not be too hard.

@Dave:
Minor nitpick, but inverse square law means you quadruple the power to double the range (i.e., square the ratios); squaring the power to double the range would be an exponential law. But your example calculation was correct.

@ECMpuke:
"an antenna with 30 dB gain has a beamwidth so narrow that pointing it becomes a serious problem"

Well, certainly the higher the gain, the more accurately it must be pointed, but 30 dB isn't really in the realm of a "serious" problem. The "half power beamwidth" of a 30 dB antenna of typical type, is about 5 degrees, or about a 50 cm spot on the other side of a 6 metre room. Most people can point more accurately than that by hand, and with any sort of tripod mount it's trivial. It's more difficult (especially in elevation) if you can't see the exact location of the target, but we're still only talking a few minutes of fiddling about.

(For those who don't know, the steradian is the unit of solid angle. It's defined as the area outlined by projecting the solid angle onto the surface of a unit sphere, or equivalently, the area projected onto any sphere, divided by the square of the sphere's radius. Thus, a full sphere is 4 pi steradians. It is abbreviated sr, or more often msr for millisteradian because a whole sr is quite a lot.)

@ECMPuke:
"You do the pointing".

I have. We often use 35 dBi antennae at work, and pointing just isn't as hard as you seem to think. Even a 40 dBi is (just barely) doable by hand.

"One millisteradian is a lot less than one."

I don't think you finished this sentence, but in any case I'd point out that you only need 12.6 msr (4 pi sr in a sphere, divided by 1000). 12.6 msr is the solid angle subtended by a 3 inch circle at 2 feet, i.e. a baseball held at arms length. It is not a particularly fine angle. (Actually, because the beam doesn't have a sharp cutoff, we normally work with the half power beamwidth -- I'm sure you know that, just for other readers -- which is a bit more restrictive; it calculates to about 6 msr in this case.)

"It's like searching the world through a soda straw. Try it some time. It's far from trivial."

Well no, it isn't like searching through a soda straw. The analogy is wrong two ways, first because in "bluesniping" type applications most of the time you would be "searching" with the Mk I eyeball and only using the 30 dB beam for "target acquisition". That's more like pointing the straw at something and then seeing if you can see the target through the straw, a task which in fact is trivial (try it).

Secondly a straw is much tighter than what is required here. A typical soda straw (about 8 in by 0.2 in) gives a solid angle of 0.45 msr. That's an order of magnitude tighter than this requirement. To get a 12.6 msr (30 dB) beam, an 8 in straw would need a diameter of an inch.

Having said that, to "keep myself honest", I did just try some "searching the world through a soda straw" (the same one). Forming a fist around the straw so I couldn't peek around it, I spun myself around on my chair with my eyes closed, opened one eye to look through the straw, then timed myself to find a certain spot of light on the wall (a spot much smaller than 12 msr). By nodding the straw up and down while slowly rotating, I found it in 11 seconds. Not quite trivial, but not very challenging, either. (Yes, it helps quite a bit that I knew it was roughly in the horizontal plane, but that's usually the case for non-aerial targets.)

"By the way...that 30-dB aperture at 2.4 GHz is bigger than a Pringles can. It would take a dish about 4 feet in diameter, in fact."

Well, if we only want good gain and don't care about suppressing sidelobes, you can go with a grid parabola. By no means hand held but practicable to tripod mount; the lightest commercially available 24 dBi one that I have seen was 2 kg, presumably a 30 dBi one would be about 8 kg.
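The range and beam-geometry figures argued over in the comments above (inverse square versus inverse cube range, the 12.6 msr beam, the baseball and soda-straw comparisons) can be checked with a short calculation. This is an added example, not part of the original post or any comment; the function names are illustrative, and the beam is idealised as a uniform cone holding all the radiated power.

```python
import math

def range_factor(gain_db, path_loss_exponent=2.0):
    """Range multiplier from extra link gain when received power falls as 1/d**n.
    n=2 is the free-space inverse square law; n=3 is the 'inverse cube'
    behaviour one comment reports for short-range, low-power links."""
    return 10 ** (gain_db / (10.0 * path_loss_exponent))

def beam_solid_angle_sr(gain_dbi):
    """Solid angle of an idealised beam: the full sphere (4*pi sr) divided
    by the linear gain. Assumes uniform power inside the beam, none outside."""
    return 4 * math.pi / (10 ** (gain_dbi / 10.0))

def cone_full_angle_deg(solid_angle_sr):
    """Full apex angle of a circular cone, from omega = 2*pi*(1 - cos(theta/2))."""
    half_angle = math.acos(1 - solid_angle_sr / (2 * math.pi))
    return math.degrees(2 * half_angle)

def disc_solid_angle_sr(diameter, distance):
    """Exact solid angle of a disc viewed on-axis (both lengths in the same unit)."""
    radius = diameter / 2
    return 2 * math.pi * (1 - distance / math.hypot(distance, radius))

def spot_diameter(full_angle_deg, distance):
    """Width of the beam footprint at a given distance."""
    return 2 * distance * math.tan(math.radians(full_angle_deg) / 2)

def summary():
    """Collect the figures quoted in the thread, for side-by-side comparison."""
    return {
        "range_x_inverse_square": range_factor(30, 2),      # ~31.6x
        "range_x_inverse_cube": range_factor(30, 3),        # 10x
        "beam_30dBi_msr": beam_solid_angle_sr(30) * 1e3,    # ~12.6 msr
        "beam_30dBi_cone_deg": cone_full_angle_deg(beam_solid_angle_sr(30)),
        "baseball_3in_at_2ft_msr": disc_solid_angle_sr(3, 24) * 1e3,
        "straw_0.2in_x_8in_msr": disc_solid_angle_sr(0.2, 8) * 1e3,
        "straw_1in_x_8in_msr": disc_solid_angle_sr(1, 8) * 1e3,
        "spot_m_5deg_at_6m": spot_diameter(5, 6),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28s} {value:8.3f}")
```

The idealised 30 dBi cone comes out a little over 7 degrees wide; the half-power beamwidth quoted in the comment is tighter because a real beam has no sharp edge.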

Someone has to set up a tiny gumstix box with a solar panel and rechargeable battery with this software autoscanning (recording/injecting funny audio). Add a USB 3G broadband modem for web updates. Just hide it on top of a set of traffic lights at 3am at a slow junction, listen to the web updates every day!